Security Researchers Document Wiper Malware's Disappearing Act

Following the unrelated "copycat" Shamoon attack, Kaspersky Lab discusses its research into a mysterious attack on Iranian systems earlier this year, stressing that the program known as Wiper did such a good job of deleting itself that little evidence exists.

Late last year and earlier this year, attackers snuck into Iranian systems and did-something. Exactly what happened will likely never be known, however, because their last act was to run a program-now known in the security community as "Wiper" malware-that deleted almost every trace of the attack and then effectively destroyed compromised systems.
On Aug. 29, security firm Kaspersky Lab published its research into Wiper, finding that the program did an extremely thorough job deleting any data that could have documented its activities. The company, which had been called in to investigate the attacks by the International Telecommunications Union, managed to recover some partial registry information and file names, finding that the program wiped files with certain extensions, then focused on deleting the contents of important directories and finally wrote over specific disk sectors to make the hard drive unbootable.

What they did not find was program code-the digital blueprint-that could have given them better insight into Wiper's capabilities.

"We found some traces on some occasions, but it was minimal," said Roel Schouwenberg, senior researcher for Kaspersky Lab. "We tried to find the malware, but right now, everyone is pretty convinced that we never will."
The company decided to publish the sparse analysis of Wiper following an incident earlier this month when another program, dubbed Shamoon, was likely used to attack systems at Middle Eastern oil giant Saudi Aramco. While the destructiveness of the attacks appeared similar, Shamoon had a variety of errors in its code that makes it unlikely to have been written by the same authors.
Wiper, on the other hand, has many similarities to programs created by the platform behind attacks that many believe are sponsored by national governments. The software platform, known as Tilde-D, was used to create Stuxnet, Duqu and other infamous malware. Like those programs, Wiper seemed to have a penchant for configuration, or PNF, files. Where Stuxnet and Duqu used these files to store encrypted parts of their programs, Wiper apparently deleted the files, Kaspersky's researchers stated.
"If the purpose of the attackers was to make sure that the Wiper malware could never be discovered, it makes sense to first wipe the malware components and only then to wipe other files in the system which could make it crash," the analysis stated.
In the analysis of Duqu, Flame and Stuxnet, Kaspersky and other security firms found hints of other components that they had not yet encountered. Wiper could be one of those, Kaspersky's Schouwenberg said.
If the techniques used by Wiper are widely deployed in other malware, it could cause trouble for antivirus researchers looking to gather intelligence on future malware. Capturing enough information for analysis could become more difficult.
Targeted companies and their security firms would have to focus on counterintelligence operations that attempt to actively capture malware for further study. Or, companies would have to write off their efforts investigating the malware on the systems and instead build a model of the program's behavior from network traffic, Schouwenberg said.
"Attackers are already trying to make the forensics process more difficult," he said. "But as companies move toward logging every byte moving into and out of a network-that could counter such tactics."